Source-Changes-HG archive
[src/trunk]: src/sys/dev/usb PR/46338: Nat Sloss: Prevent ubt synchronization...
details: https://anonhg.NetBSD.org/src/rev/b0057c02883e
branches: trunk
changeset: 778995:b0057c02883e
user: christos <christos%NetBSD.org@localhost>
date: Tue Apr 24 20:04:49 2012 +0000
description:
PR/46338: Nat Sloss: Prevent ubt synchronization loss from overwriting memory.
diffstat:
sys/dev/usb/ubt.c | 23 +++++++++++++++--------
1 files changed, 15 insertions(+), 8 deletions(-)
diffs (51 lines):
diff -r ca8a99831a0e -r b0057c02883e sys/dev/usb/ubt.c
--- a/sys/dev/usb/ubt.c Tue Apr 24 19:14:06 2012 +0000
+++ b/sys/dev/usb/ubt.c Tue Apr 24 20:04:49 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $ */
+/* $NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $ */
/*-
* Copyright (c) 2006 Itronix Inc.
@@ -67,7 +67,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.46 2012/04/05 16:31:53 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubt.c,v 1.47 2012/04/24 20:04:49 christos Exp $");
#include <sys/param.h>
#include <sys/device.h>
@@ -1672,10 +1672,7 @@
if (got + size > want)
size = want - got;
- if (got + size > MHLEN)
- memcpy(ptr, frame, MHLEN - got);
- else
- memcpy(ptr, frame, size);
+ memcpy(ptr, frame, size);
ptr += size;
got += size;
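Review bot: With the MHLEN clamp removed, `memcpy(ptr, frame, size)` is bounded only by `want`, and `want` is range-checked only later, in the branch where the header completes. If any other path sets `want` from the device-supplied length field (none is visible in this hunk), it needs the same `want > MHLEN` test, otherwise the copy can still run past the mbuf data area. Stating the invariant at the copy site would make this auditable, for example `KASSERT(got + size <= MHLEN);` just before the memcpy, or a comment naming where `want` is validated. The enclosing loop starts and ends outside the hunk.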
@@ -1687,8 +1684,18 @@
* length to our want count. Send complete
* packets up to protocol stack.
*/
- if (want == sizeof(hci_scodata_hdr_t))
- want += mtod(m, hci_scodata_hdr_t *)->length;
+ if (want == sizeof(hci_scodata_hdr_t)) {
+ uint32_t len =
+ mtod(m, hci_scodata_hdr_t *)->length;
+ want += len;
+ if (len == 0 || want > MHLEN) {
+ aprint_error_dev(sc->sc_dev,
+ "packet too large %u "
+ "(lost sync)\n", len);
+ sc->sc_stats.err_rx++;
+ return;
+ }
+ }
if (got == want) {
m->m_pkthdr.len = m->m_len = got;
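Review bot: The new error path does `return;` while `m` is still in use and no `m_freem(m)` is visible, so unless the mbuf is released or saved somewhere outside this hunk, each lost-sync event appears to leak one mbuf; adding `m_freem(m);` before the `return;` would close that. The early return also skips whatever follows the loop in this function (not visible here), so it is worth confirming that the isochronous transfer is still restarted after a sync loss. Separately, the `len == 0` case is logged as "packet too large", which will mislead anyone reading the log. Because `len` comes from the device, `aprint_error_dev` can be triggered on every bad frame, so a rate limit or relying on `sc_stats.err_rx` alone would keep a misbehaving adapter from flooding the console.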